SAQ A has been developed to address requirements applicable to merchants who retain only paper reports or receipts with cardholder data, do not store cardholder data in electronic format and do not process or transmit any cardholder data on their systems or premises.
SAQ A merchants, defined here and in the PCI DSS Self-Assessment Questionnaire Instructions and Guidelines, do not store cardholder data in electronic format and do not process or transmit any cardholder data on their systems or premises. Such merchants validate compliance by completing SAQ A and the associated Attestation of Compliance, confirming that:
- Your company handles only card-not-present (e-commerce or mail/telephone-order) transactions;
- Your company does not store, process, or transmit any cardholder data on your systems or premises, but relies entirely on third party service provider(s) to handle all these functions;
- Your company has confirmed that the third party(s) handling storage, processing, and/or transmission of cardholder data is PCI DSS compliant;
- Your company retains only paper reports or receipts with cardholder data, and these documents are not received electronically; and
- Your company does not store any cardholder data in electronic format.
This option would never apply to merchants with a face-to-face POS environment.
Each section of the questionnaire focuses on a specific area of security, based on the requirements in the PCI DSS Requirements and Security Assessment Procedures. This shortened version of the SAQ includes questions which apply to a specific type of small merchant environment, as defined in the above eligibility criteria. If there are PCI DSS requirements applicable to your environment which are not covered in this SAQ, it may be an indication that this SAQ is not suitable for your environment. Additionally, you must still comply with all applicable PCI DSS requirements in order to be PCI DSS compliant.
Have more questions? Submit a request